So I've done individual videos on pfBlocker. I've done a video on Suricata. I've talked about how to set these up inside of pfSense, and I've talked about segmenting your network. For example, in our case, we have our servers on their own separate network. That way they're locked down, and it's easier to look through logs for a single network stream versus all the other noise that gets on the other networks. So when you're trying to focus on security and try to go through what's going on, you can lock down that network tighter, and it's a little bit less noise to punch through when you're doing things like analyzing Suricata. Now, we self-host a few things, and so those are on that separate network and are exposed to the outside world so people can get to them. But obviously we don't want everybody getting to them.

So what I want to talk about today is this: even though you have all these things, some people may get this false sense of security, which I never want people to have, that you just load pfBlocker and Suricata, and as long as the threat rules are up to date, and the GeoIP is up to date for a block list, and the IP reputation lists are up to date, you're good, right? Those are all reactive things. Now, they're good. They're good to have. Security is all done in layers, so it's not like they're not a good idea to have. They are just far from an end-all solution, and we're going to point out something that was missed here by both Suricata and pfBlocker. And I don't know that it's an attack; I just know of the problem it caused, and I want to walk you through the practical problems we run into even though we have these things here, and how this kind of passed right through them.

So like I said, I have pfBlocker. We block countries we don't really do a lot of business with, and we block all the proxy and satellite ranges. Basically, all the places you just get a lot of attacks from: Russia, China, so on and so forth, where you see a high volume of attacks. We just block them all with pfBlocker, so those IPs just automatically are blocked. That's fine.

Let's move over to Suricata. We have a Snort feed going into it. Snort is a competing product for Suricata. I'm not going to get into the merits of each of them, but both of them run off of Snort's feeds, which upstream come from the Talos Security Group. They're the ones that maintain those feeds. And once again, these feeds are really good, but they're once again reactive. So we try to determine whether or not these IPs are bad, or whether or not the actions as they see them in these signatures, does this pattern of data coming through match a known signature or look like a signature, because there are common ways people attack. Even though the stream is encrypted, they're looking for kind of like a heuristic approach. They see things much better when you look at a non-encrypted stream, of course, because they can see more about what the data is. But as the internet has become way more encrypted over the last few years, especially with things like Let's Encrypt, there's less visibility, and especially when you start talking about the QUIC protocol, that actually blinds these things even more, because it's all a bunch of UDP streams, and it's a little bit harder to do any type of heuristics on UDP streams versus the TCP streams that we're looking at right here.

So back to the reality of it. Here's an IP that managed to get itself blocked: 45.55.188.183. We're going to go over here to shodan.io, which is the wonderful internet lookup, and we look it up and say, okay, it's an internet scanner hosted over at DigitalOcean. What does it see? Backbone.js, Google Font API, Gravatar, blah, blah, a few different things that it's seeing running on there, and it says this IP has been observed scanning the internet, source GreyNoise.

So we look over at GreyNoise. They're one of these companies that's collecting reputations and learning things about the internet by setting up probably a series of honeypots and kind of seeing what comes out there and going, "Hey, look, these guys are bad." So they're on the bad list. They're not on the pfBlocker list for whatever reason, but they're also a DigitalOcean server, so you don't want to just blanket block everything on DigitalOcean. If you did, you would block our forums, for example, because that's where I'm hosting those, but my forums aren't scanning. But you kind of get the idea. This is actually, I believe, close in proximity to where I'm hosting our current forums, and those are hosted externally, not inside of our office here in Detroit. But you can see that this is all the flow through. Okay, it all stopped, and the only thing we really stopped someone from was scanning, and scanning isn't necessarily the same as an attack. They're reconnaissance missions, and the reason a lot of people are on scanners: they're going to want to go, "Hey, what is the OS they're running? What firewall is that? Can we make those determinations?" Because if they can make that determination of what you're using, the next step is to go, "Is there an exploit against that particular model or brand of firewall? Is it a really old one, unpatched?" And they can then try those attack vectors. So a lot of these noisemakers on the internet that are out there scanning, they're more of reconnaissance and making lists for later attack. That's all fine, and like I said, that's the process for that.

Now let's talk about the practical security of a couple of things we ran into and how they affected us, and how nothing about Suricata helps and nothing about pfBlocker helps, and we had to start manually blocking some of these. So let me show you. And there's a really cool tool, because everyone asks what tool I'm using for things: GoAccess is a really neat command-line log analyzer. And I've got my logs in such a way that when I see any problems (and I use Zabbix to monitor my servers), if I see a problem, the server's under high load for mystery reasons, we can use things like GoAccess to go look at that. And I see the web server, because we're running, we self-host ScreenConnect or ConnectWise Control, depending on how you know the product. That's our remote access tool that we do host in-house. So let's go over and take a look at the logs for that.

So here's GoAccess, and it's analyzing the log file, seeing the hits from internal IP addresses and external IP addresses as they go here. So here's actually our Zabbix server, which accounts for this. This person here, I don't know who this is, at 747577.224, is just beating up on my server for some reason. These are internal IP addresses and things like that. The cool thing about GoAccess is I'll actually open up ScreenConnect and refresh it a couple of times on my side here. This is my IP address I have highlighted, and you can see it actually updates it. So every time I move around in ScreenConnect and refresh this again, you see another hit. So internally, these 192 addresses are the internal staff hitting it, the 122 is Zabbix monitoring it, and this person, I don't know what they're doing, but they're not doing anything that matches any known nefarious signatures, hence the reason nothing blocks them.

So let's go ahead and take a look and see if they're in the grey list or one of these other places. So let's go ahead and switch back over to this. GreyNoise is a grey list. Put that IP address in, search: not found. Go over here to Shodan: not found. So that's where things get a little bit trickier. This person's just banging away on my website. They're not doing anything, and I'm not going to go through the details of the raw log file, but they're just hitting the website randomly and refreshing the page. They're not even sending any commands. So my guess is it's maybe just a curl command running. It's not sending a header or anything identifying. It's just kind of unusual when we see these ones. We don't understand why, because literally they're just refreshing the webpage all the time is essentially what's going on there.

Now, this person wasn't causing me too much drama. I just happened to open up the log file and see them there. But there have been times in the past where we've actually noticed a server under high load. Zabbix alerted us going, "This is higher than usual," and I said, okay, what's going on here? And we pull up the logs and we found some other IP addresses in there. Let's talk about how that works, and this is the practical security of how things go. This is the offending one, I should say the most offending one. This one was going up to thousands of hits a second. Same thing, no header information, just refreshing the page. I don't really know what their purpose was, but Shodan has very little about them. So we look at here: they're marked as just not bad, but something that Shodan has found. They do have a port 443 open. Let's look at GreyNoise and see if they have anything on them. Nothing at all. So they've not made any reputation lists that make us try to block them. So once again, they pass right through unnoticed through Suricata. There's nothing about them on different companies, and there's a ton of different companies that do analysis on these, but Shodan being one of the real big ones that's keeping a log of stuff, there's nothing about their reputation to make you think you'd block them. But they decided to refresh my web server so hard that it caused a blip in it to make me notice them.

Now, there's rate limiting and things like that, and one of the most important things about security is that we have all of our servers constantly up to date to protect us from many potential vulnerabilities. And Apache, we don't hesitate at all. We make sure our servers are auto-updating, which comes at the risk, of course, if you're patching every security update as they come out, of having a potential go wrong. I know someone's going to comment on that, but I would rather be secure than insecure, so we make sure all of our patches are loaded all the time and are checked every single day.

But this is one of those weird things where people will see an attack and they're like, "But why don't these other tools do it?" And this is where it's really hard to do analysis. So you can really try to make some decisions based on rate limiting, like how much can this one particular IP pull data from that one port. But then it would create a problem for those IPs that are actually pulling data from the port. You don't want to block them. And because they're only refreshing the page, not using the service, they're not pulling as much data as someone using the service, but they're weirdly refreshing a page. So you have to focus security down on the Apache and set up the moderate limits to say this one person can't refresh the page that many times. But you kind of see the overall practical side of how the security works, and it's not really anything that you can easily point your finger at. And you can see how quickly something like this kind of spirals out of control, if you will, where there's a lot of functions, a lot of things that you can look into. But this is the practical side of security, and what we see from not just ours. I'm showing you ours because I can show you this. We see this for clients where they have a publicly exposed server, maybe even if it is hosted in the cloud, and we kind of sort out why does this one IP attack it, and then we put in a block for those IPs.

And the last thing I'll show you is how you block those people. So these are the only IPs over time that have ever caused this weird issue that wasn't blocked by Suricata, so there's really not a lot in here. And this IP address was the real bad offender. This one was, well, these ones were equal; they were all doing it at the same time. But what you do is I create an alias, and it's just called "manually blocked IP address," and I said "blocked IP address due to attacking." And so we go ahead and throw them in here, and from here we created a rule. So first you start with the alias, then we're going to go ahead and create a rule, and that rule starts with the action: block. You want to make sure that you are blocking these people. Where do I block them? Interface: WAN. We don't have IPv6 turned on, so we have it turned to just IPv4. You can change that to both if you have both. Protocol: any. I don't care what protocol they come in on. I can block them, for example, only on TCP and filter it down, but I don't. I just block that IP address. There's nothing about them that I think I need to get to, or where they need to get to me, so blocking them is not a problem. Source: single host or alias, change it to "manually blocked IP address," and if you haven't written a rule before with an alias, you don't have to remember how it's done; when you start typing, it fills it out for you. Destination: I'm not going to pull down the whole list here, but what this is as a destination is all the IP addresses. We have a block of IP addresses assigned to our pfSense. I don't care what IP address they originally may have been attacking; I want them to block anything inbound to my firewall, because there's nothing of value coming in from that person, nothing I could see, anyways. And description: "manual block list." Simple as that. And I go ahead and log this. I have plenty of storage on my pfSense box to be able to log a lot, so I do have this set to log packets that are handled by this rule, because I can still see if they're going ahead and attacking it still, because it can log the blocks from that rule.

So like I said, this is kind of the process for the whole thing: how you go from seeing the rules, what it looks like for the rules in place, and still what the rules miss. So you still always have to be vigilant and sometimes go down to your server level to look at some of those things, as pfSense or any firewall can only do so much blocking. Now, there are other methods that you can go about this, and for example, when you get to some of the more enterprise-level companies, you can put a web application firewall as a go-between, so everything has to pass through the WAF before it gets to the other side of the server. That way there's more analysis going on before it actually addresses your server. For us, that's just not necessary. As a matter of fact, this is actually hitting a proxy before it passes on to our actual server, so we keep an Apache proxy in front of our ScreenConnect/ConnectWise Control server.

But this is some of the analysis I wanted to walk you through, because I had to block this person the other day. There's not many people I've ever had to block; it's rare this happens. I don't know if it's also a result of YouTube and people going, "Hey, you talk about security, so let's poke at your systems." That's going to happen. You should always be prepared for that, and if someone wants to try denial of service, there's not a lot I can do about some things, and this has happened to other security researchers at different levels. If someone really wants to deny service to you, they can just fling lots of IPs that are not in any bad reputation list and start just using up bandwidth, because they're not doing anything if they're interested in refreshing your page. But this is kind of that whole thing I wanted to talk about, where, one, all these things, they're nice, they're all layers, but still these are some of the practical things you have to do after everything passes through those layers, which, because there's only a few IPs in there, you can tell it's not being done too often. Hopefully this was helpful and you kind of get an idea of the process, my thought flow of how I get on there, how I found it, and how we eventually led to just blocking those addresses. And for those of you wondering: yes, you can block aliases and things like that. That's actually what pfBlocker does. Watch my video on that, and I'll leave a link below to the Suricata video and the pfBlocker video that I did to kind of give you the setup to build your security model around pfSense and setting this up.

All right, thanks. Thanks for watching. If you enjoyed this video, go ahead and hit the thumbs up. If you want to see more content from my channel, go ahead and hit subscribe and the bell icon, and hopefully YouTube will send you a notice. If you're interested in contracting Lawrence Systems for any type of IT services work or consulting work, go ahead and head over to lawrencesystems.com and fill out our contact form and get in touch with us. If you would like to help the channel out in other ways, you can use our affiliate links below in the description, or we have a link directly to our Lawrence Systems page where we have a list of different affiliate offers, and it's very appreciated if you use any of those for signing up for any of the services, and many of them offer you discounts. If you want to head over to our forums, there'll be a link in the description for our forums wherever they may be, because we've been looking at different forum platforms, but they'll always be relevantly linked right there. All right, once again, thanks. Leave some feedback and comments below on this video, if you loved it, if you hated it. I try to reply to everyone, the people who hate and the people who love them. So thank you very much, and see you next time.
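As an added example (not the video's own tooling, and independent of GoAccess), here is a small Python check that does what the walkthrough above does by eye: find the one source IP refreshing a page far faster than anyone else, note that every one of its hits lacks a User-Agent, and emit it in a form you can paste into the pfSense block alias. The log lines, addresses, the allow-listed monitor host and the rate threshold are all constructed assumptions.

```python
# Added example, not from the video: spot a single source IP hammering an
# Apache-fronted service from combined-format access log lines (constructed).
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_hammering_ips(lines, max_hits_per_second=10, allow=frozenset()):
    """Peak requests-per-second per source IP, skipping allow-listed hosts (the monitor).
    Returns [(ip, peak_rate, every_hit_lacked_user_agent)] above the threshold, busiest first."""
    per_second = defaultdict(Counter)   # ip -> Counter(timestamp -> hits)
    no_ua = Counter()                   # ip -> hits with an empty User-Agent
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in allow:
            continue
        per_second[rec["ip"]][rec["ts"]] += 1   # Apache timestamps have 1 s resolution
        if rec["ua"] in ("", "-"):
            no_ua[rec["ip"]] += 1
    flagged = []
    for ip, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > max_hits_per_second:
            flagged.append((ip, peak, no_ua[ip] == sum(buckets.values())))
    return sorted(flagged, key=lambda t: t[1], reverse=True)

def alias_text(flagged):
    """One address per line, the form pfSense accepts when bulk-importing an alias."""
    return "\n".join(ip for ip, _, _ in flagged)

# Constructed sample: 203.0.113.7 pulls "/" 12 times per second with no User-Agent (a bare
# curl loop); 192.0.2.10 is a normal browser hit; 10.0.0.122 stands in for the Zabbix monitor.
SAMPLE = [f'203.0.113.7 - - [10/Mar/2021:14:02:{i % 2:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
          for i in range(24)] + [
    '192.0.2.10 - - [10/Mar/2021:14:02:00 +0000] "GET /login HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.122 - - [10/Mar/2021:14:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Zabbix"',
]

if __name__ == "__main__":
    hits = find_hammering_ips(SAMPLE, allow={"10.0.0.122"})
    print(hits)              # [('203.0.113.7', 12, True)]
    print(alias_text(hits))  # paste into the pfSense block alias
```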